The NYT has reported on the practice of outsourcing the breaking of captchas to people in Bangladesh, India and China. The work is neither glamorous nor well-paid, at 80 cents to $1.20 per 1,000 solved captchas, yet there seem to be enough takers. The work is farmed out through online exchanges like Freelancer.com, where, for example, an operator in Bangladesh runs an operation turning out captcha solutions 24 hours a day, seven days a week.
Macduff Hughes, an engineering director at Google, says that “Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve captchas proves that the tool is working.” So we should see captchas as a deterrent rather than a foolproof way of distinguishing people from malware. In fact, if people are being employed to break these little authentication puzzles, then the puzzles are working as intended: they make sure that a person is behind the answer. Unfortunately, that person is a mechanical turk hidden behind the malware. The inventors of captchas probably did not expect that solving these puzzles could be farmed out so easily using Web 2.0 technology.
The bigger threat probably comes from captchas being solved directly by computer, which scales and provides solutions in real time. I recently posted on the very thorough analysis of the Koobface botnet at abuse.ch, including a section on its captcha-breaking network. The captchas are broken in at most 3 minutes, and in many cases in just a few seconds. There is also evidence presented by Webroot that audio captchas are being broken in real time by automated means.